ESS 8 not logging anything in firewall log

[cutting_edgetech 25]

Eset Smart Security is not logging anything in it's firewall log, but it should at least be logging blocked events from type accents. I created a rule for outbound traffic from type accents. Type accents is constantly requesting outbound access so I chose block, and remember action. ESS should at least be logging blocked outbound request from type accents, but it is logging nothing at all. I had Online Armor installed before, and it logged many blocked request from type accents in it's log file. Does something have to be done to enable logging?

[cutting_edgetech 25]

I just found the following buried in the settings. Log all blocked connections, and log blocked incoming worm attacks. I ticked both of them. Does log all blocked connections have to be ticked before ESS firewall log will work at all? It has not been logging anything.

[rugk 397]

The screenshot you added is from the IDS settings which are part of the firewall, but which are unrelated to any firewall rules you have created in the rules and zones editor.

That's why ESS doesn't created any logs for any firewall rules if you select these "log settings".

 

But in the settings of the specific firewall rule (in the rules and zones editor) you can enable to log when the rule is triggered.

[cutting_edgetech 25]

I didn't try enabling log all blocked connections, and log blocked incoming worm attacks until now. I didn't have them ticked before, and ESS did not log anything then. After ticking those 2 boxes ESET at least logged something in the firewall log. Before it logged nothing.

[Marcos 5,069]

Enable "Log all blocked communication" box in the IDS setup only to troubleshoot a connection issue, otherwise the firewall log may grow rapidly and take up a lot of space on the disk as well.

To log events when a blocking rule is applied, edit the desired rule and tick the "Log" box.

[cutting_edgetech 25]

I will try editing the rule for Type Acents to see if it logs it's blocked outbound request. That still does not fully answer my question as to why it is not logging anything in the Firewall log. Is there something else that needs to be enabled so the logging will work? It is not logging anything in the firewall log at all. I ran PC flanks leak test hoping it would log something, but it failed the test. Is ESS default rule set so lenient that its not blocking anything to log? Online Armor logged many ICMP destination unreachable request on my machines. What action does ESS take with ICMP destination unreachable request? Also does it log them?

[rugk 397]

Again I'd like to explain that you have to differentiate between two (or tree) things in the detection and protection technology of ESS.

• There are the Firewall rules. These are simple allow/block/ask-rules which control whether an application or IP gets inbound or outbound network access. This is done by checking the local/remote IP, application, port and so on against the rules, so that it will either allowed or block the communication.
  You could say it checks the metadata of the network traffic.
• There is the IDS. This is a system which analyses the network traffic and blocks attacks regardless of the "metadata".
  So here you could say it checks the content of the network data. (however some metadata may play a role too, but this isn't important now)
• And in ESS v8 there is a special Botnet blocker. This works similar as the IDS system, because it also analyses the content of the network traffic, but here it tries to identify local processes which are behaving strange (like a bot).

And all of these parts have separate log settings. However generally all things are logged into the same log file - the log file for the firewall.
The botnet blocker has AFAIK no log file or it is also logged in the firewall log - I don't know this as I couldn't test it until now.
 
I think the "big attacks" which are detected by IDS are already logged (and in some cases you will maybe also see a notification).
And as Marcos said the other checkboxes you can select there about logging are only for troubleshooting - they are not by pure chance below the point "Troubleshooting"...

 
And then there are settings about the firewall rules, you talked at your first post:

I created a rule for outbound traffic from type accents. Type accents is constantly requesting outbound access so I chose block, and remember action. ESS should at least be logging blocked outbound request from type accents, but it is logging nothing at all.

 

In this case you have to adjust the rule, so that it will be logged when this rule is "triggered".

To do so check the checkbox "Log" in the settings of the specific rule:

 

You have to do this for all rules you like to log.

 

 

Now about "ICMP destination unreachable":

The thing you talk about is (e.g.) a simple reply from a ping command, which indicates that the server/IP is not reachable.

I see no reason why this should be blocked and I can't imagine any case where it would cause a security risk.

 

But generally: What ESS does with other ICMP attacks you can read in the in-product help and I also marked the corresponding IDS setting.

Edited January 19, 2015 by rugk

[cutting_edgetech 25]

If something triggers Eset's intrusion Detection does Eset log it in the firewall log by default? I don't see any option to enable logging for Intrusion Detection which is listed in the IDS Advanced Settings.

[rugk 397]

I think at least for the blocks it also shows messages it logs something, yes.

 

For all other things you can enable IDS logging under "Troubleshooting":

Edited April 16, 2015 by rugk

[cutting_edgetech 25]

Thank you! I was hoping detected attacks would be logged. I used the trouble shooting log before, and it logs everything. It's really only good for trouble shooting to me. If I had an allow rule for an application, and the application still could not access the internet then I would turn that on if the logging for the application did not show anything blocking it.

 

Edited 4/17 @6:41

Edited April 17, 2015 by cutting_edgetech

[cutting_edgetech 25]

If I want to enable logging for a specific application, and only log blocked packets then is that possible? I only saw the option to log allowed, and blocked packets.

[Marcos 5,069]

If I want to enable logging for a specific application, and only log blocked packets then is that possible? I only saw the option to log allowed, and blocked packets.

 

That's not possible. What you could do is disable logging of blocked connections in the IDS setup in general, create a blocking rule for a specific application and enable logging in the rule setup. Applying the rule will be logged in your firewall log then.

[cutting_edgetech 25]

Thank you for your help Macros! Honestly the IDS logging is more important to me than logging dropped packets for a specific application. It was something I was wanting to enable for a long period of time, and I wanted to log all dropped packet for the application instead of for just one rule.